How to Change Security Best Practices
A New Environment Requires a New Approach
Healthcare organizations need to revise security best practices and tap new technologies as a result of the growth in health information exchange and the use of mobile devices, says Carl Gunter, a professor of computer science at the University of Illinois at Urbana-Champaign. He heads a federally-funded research project designed to pinpoint the best security techniques.
"It's hard as a hospital CIO to know what part of the system you need to secure these days," says Gunter in an interview with HealthcareInfoSecurity's Marianne Kolbasuk McGee (transcript below). With the development of health information exchanges, as well as the explosion in the use of mobile devices, "you're unsure what measures you need to take," he says.
As a result, researchers are tackling areas such as access control and auditing, advances in encryption, and the automation of policy for the exchange of data.
The University of Illinois' Information Trust Institute is leading the four-year, federally funded Strategic Healthcare IT Advanced Research Projects on Security, or SHARPS.
Emerging issues that the SHARPS project is working on, Gunter says, include data segmentation when sharing data. "This is a problem that's extremely difficult and has a lot of ramifications. We don't really have the technology to understand how to do it, but it's often demanded by patients," he says.
Another issue looming is protection of genomic data, which Gunter says will eventually become part of electronic health records.
In addition to his role as a professor in the computer science department and college of medicine at the University of Illinois, Gunter also serves as the director of the Illinois Security Lab and the university's Health Information Technology Center.
MARIANNE KOLBASUK MCGEE: Tell us about your organization and your role.
CARL GUNTER: I'm a professor at the University of Illinois at Urbana-Champaign. I work as part of the Information Trust Institute, which is devoted to studying issues with the dependability and security of computer systems. We were privileged to lead a consortium of universities working on the research challenges associated with security and privacy in healthcare, and we're about two years into a four-year effort on that.
SHARPS Project: Key Findings
MCGEE: The SHARPS project is studying strategies for keeping data secure and private in e-health records, telemedicine, health information exchanges and some other key technology areas. What key findings has the research turned up so far?
GUNTER: Just to clarify about our role, there are many aspects of security and privacy for healthcare that can be accomplished by a diligent application of known security precautions, and these kinds of best practices can greatly improve the security and privacy of healthcare organizations. Our area is to look at those points of novelty where things are changing and it's not clear that best practices are sufficient, so one needs new ways of doing things, novel techniques.
We've been making progress on both identifying the areas in which those kinds of efforts are needed and on actually contributing some of the technologies that are required in those areas. I could break down into a few categories some of the findings.
One is the use of techniques of audit and of access control to determine when there have been abuses to the system. Another is the development of techniques to use encryption in order to control the trusted base that's required for the systems that are being used. And another is the automation of policy for the exchange of data between enterprises and even within enterprises, dealing with things like federal, state, local and enterprise rules. Finally, there's a great need to make progress on mobile health where there has been a flood of new types of devices and techniques coming in that are changing the healthcare enterprise.
For our contributions in these areas, for the access control and audit, what we've been interested in and where we've been making progress is on techniques that go beyond manual analysis. For example, you might look through the logs and see if you think that anybody did something that they shouldn't have done in terms of access. Those things range from curiosity things, like someone looking up a former spouse to see what their medical record is, to major fraud efforts, where someone is mining the data for Social Security numbers or for information that can be used in fraudulent billing. What we need in this space is to move ahead on ways of doing this with more automation. ... We've been developing a variety of strategies in that area, and a general technique called experience-based access management, which is a continuous process improvement technique to fold experience with violations into the next generation of technologies for protection.
On the area of encryption and trusted base, one of the big advances here is that encryption techniques now include new kinds of strategies for doing encryption. An example is attribute-based encryption in which you can encrypt data under the attributes and policies for the people who are supposed to be able to read it. What this allows you to do is to give an extra level of protection - not just at the level of access to the system but in fact the ability to decrypt a system. This has valuable applications in a number of areas. And as you can see when you look at the [Department of Health and Human Services'] "wall of shame" for the data breaches, many of them are caused by things that could have been addressed by proper encryption. Trying to understand the trusted base and develop technologies to manage the trusted base is one key area that we've been trying to push forward on.
Another one is automated policy. As healthcare enterprises are growing, they are adding new partners. Then we have developments like health information exchange, where we want to exchange data between independent healthcare organizations. If you have to hand over to a lawyer the review of every exchange that you're going to make before you feel confident to make that exchange, it's going to be very expensive and slow.
As in the case with the audit techniques, we want things that involve more automation, where the computer can decide whether data sharing is acceptable or not. In this area we've been looking at developing systems that can do those formal representations. Policies integrate well with current electronic health record systems. So you can do the sharing between enterprises with properly described policies that would allow you to exchange based on decisions that can be made by a computer rather than turned over, for example, to an attorney.
In the area of mobile health, what we have is a change in the way data is collected for hospitals. It used to be maybe that all the sensors and actuators are actually in the hospital, and now with the kinds of devices that people can have, ranging from implants to health and fitness devices, you can collect data in many different places. This is a big change in the healthcare environment, so we need to get our minds around where the threats are to the sharing of that kind of data. For example, in the sharing of data with intermediaries that are not HIPAA compliant and not required to comply with HIPAA, the way medical data are handled will be different.
Also, for the devices - from simple devices like thermometers at one end to devices like implanted defibrillators at the other end - one sees convergence between the techniques being used. For example, you might expect your insulin pump to talk to a cell phone, and so here we have to look at questions of the security of that cell phone and its ability to talk to a medical device that could be safety critical. We've been making advances there and clarifying, particularly, the requirements and coming up with techniques to enable those things to operate safely, even when there are adversarial threats. That gives a little bit of a rundown.
Biggest Privacy, Security Challenges
MCGEE: What would you say are some of the biggest challenges that healthcare providers are dealing with when it comes to privacy and security right now?
GUNTER: Let me come back to some of the emerging issues [tied to] some of those points I just raised. In the area of trusted base and encryption, it's hard as a hospital CIO to know what part of the system you need to secure these days. It used to be the case that you had a computer in the hospital and then some dumb terminals on the wards and you secured that, but it got more complicated with the Internet. But now you have things like development of health information exchanges in which you're sending data out of the hospital to systems that are shared in communities and then you have bring-your-own-device situations where physicians may bring devices into the hospital and then put sensitive data on those devices. And you're unsure what measures you need to take to secure those devices.
Then there are a variety of new kinds of things. For example, people get difficulties from attacks that are directed, say, at universities in the areas of things like persistent threats. These things then have collateral damage into the medical systems where they can infect medical systems throughout the hospital. Increasingly sophisticated attacks, even if they're not targeted at the medical area, can have ramifications for medical devices that can be compromised as part of attacks. This area of, "What do I have to secure and how do I manage the threat," is a big area that is developing for healthcare organizations.
Another example along the lines that I mentioned earlier is the question of how you're going to manage the patients collecting data on their own devices: Do you trust that data, and do you want to hand them devices that they can use to collect the data so that you can have a trusted device that you created? Those are questions that people are going to have to confront in the next few years.
Improving Data Security Practices
MCGEE: Where are you seeing improvements in health data security practices and what's most troubling to you?
GUNTER: I think that we see a lot of improvements in organizations instituting best practices. The implementation of best practices in existing enterprise systems is moving along. ... Where I see more trouble is instances where that model begins to break down and where following the same procedures that have been employed for the enterprise are attempted, for example, on health information exchanges. The practice of having a trusted pool of employees that have a large level of access to the system and then you account for it within a single EHR system is not necessarily scalable to a health information exchange that works throughout a community. [In that case,] the number of people involved will be larger, and it would be even more troubling to extend that kind of system to a state or even nationwide. We need techniques that can scale up to these much higher levels of sharing. And just applying the techniques that we're familiar with at the enterprise level has to be augmented with techniques that can make it more scalable.
MCGEE: What are your thoughts about encryption and other technologies, policies and practices that healthcare providers should consider to improve the security of their patients' data, especially with mobile devices and bring-your-own-device, since that is becoming so popular in healthcare environments?
GUNTER: That's an area in which we do see some improvement in at least doing the routine things. It's possible to take a laptop and assure that you've encrypted the data so that if the laptop is left behind in a car and the car is broken into and the laptop is taken, you can mitigate the risks from this. There have been proposals for far more advanced approaches to the use of encryption as a protection measure where we will need some more innovation and boldness in the planning to adopt those things - for example, encryption of the data in the health information exchanges. We're making reasonable progress on moving from encryption of data in flight, which has been very well adopted by the healthcare industry, to also trying to do more with the encryption of data at rest. That's a good trend, and it's particularly related to bring-your-own-device, since if you do bring-your-own-device then it's important to limit the amount of vulnerable data that's sitting on that device. Encryption can help there.
Another area where it can have value is in the use of cloud technologies. When one is storing data in clouds, the data could be, in some cases, encrypted to limit the threat to a compromised cloud provider, and so there are some trade-offs there. For example, you can't search data perhaps that has been encrypted so you would lose some of the functionality of the encrypted data. Those are where some aspects of innovation will be desirable to try to move us ahead on how completely we can use encryption in those contexts.
There are interesting kinds of cryptography that can allow techniques like searching data that's encrypted. Research techniques based on things like multi-party computation allow you to find out certain limited things about data without revealing other facts about the data, so you can control the information that's released.
MCGEE: What do you think the biggest threats to healthcare data security will be in the future?
GUNTER: Let me give two areas where I think we're going to have a major question. One that comes up repeatedly is the question of how you're going to secure data with respect to the sensitive components so that the sharing can be done with what they call "data segmentation." This is a problem that's extremely difficult and has a lot of ramifications where we don't really have the technology to understand how to do it, but it's often demanded by patients.
If a patient goes to see a podiatrist to get problems with their feet looked at, then should the podiatrist get access to their mental health notes? Patients are uncomfortable with widespread sharing of their records with people when they feel like there's a need-to-know aspect. Where you might have previously had a separate entity that handles mental health data, different from an entity that would handle other health dimensions, as those things become more consolidated, you end up with this problem of: Do you share all of the record, or can you share parts of the record?
The question of how to share parts of the record, without endangering the patient by having information withheld from parties that need to know that information, is a big problem. This kind of technology for data segmentation is going to be one of the things that we'll be looking at in the future. We don't know how to do this now or how to examine the techniques that are proposed and test them as to whether they're effective.
Another one that's looming ahead is personalized medicine and genomic data. Molecular data will become part of records in the future, things like the DNA sequencing. As we're getting cheaper and cheaper techniques of doing gene sequencing, you might reasonably expect to get a gene sequencing for someone and then that information could be shared between different providers so that they can use that information to do things like drug dosage levels or to prioritize certain kinds of threats. When they're doing diagnoses, they could look at the DNA data and consider some diagnoses more likely than others based on that. And so there will be a raft of these new techniques.
But also, that DNA data is personal and it's difficult to see what you even mean by de-identifying it for purposes of research, despite the fact that there are huge research opportunities that would be available for doing research on the relationships between diseases and genotype data. That's a second area that I think is going to be emerging over time - the secure and privacy-respecting management of the genomic data.